The following technique will work: 1) add a new special group; 2) add SF to that group and only have SF in that group; 3) change the group of the file with 600 permission to the new special group; 4) change the group access permission to add R to the file so that it is 640. This means that the file will be group-readable by SF, but since SF is the only userid in that group, only SF can read the file.
This will work so long as the permissions and group ownership do not change. In my case, the initial test worked, but the file got reverted, so this is not a workable solution.
I am still left with SF as non-root but unable to read root 600 files.
I think the Splunk Forwarder product should come with a special read module that can be rooted so that it can read root 600 files even though the rest of SF is installed non-root.
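An added example, not part of the original post: a shell check for the reversion described above, reporting when a file's mode or group ownership has drifted from the 640 / dedicated-group setup. The function names, the group name `sfread` and the user name `splunkfwd` are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# check_group_read FILE GROUP   (hypothetical helper, not a Splunk tool)
# Prints "ok" when FILE is mode 640 and group-owned by GROUP,
# otherwise prints which attribute drifted. Returns 0 only for "ok".
check_group_read() {
    file=$1
    want_group=$2
    want_mode=640

    if [ ! -e "$file" ]; then
        echo "missing"
        return 2
    fi

    # GNU stat: %a = octal permission bits, %G = group name
    mode=$(stat -c '%a' "$file") || return 2
    group=$(stat -c '%G' "$file") || return 2

    drift=""
    [ "$mode" = "$want_mode" ] || drift="mode=$mode"
    if [ "$group" != "$want_group" ]; then
        drift="${drift:+$drift }group=$group"
    fi

    if [ -n "$drift" ]; then
        echo "drift: $drift"
        return 1
    fi
    echo "ok"
    return 0
}

# only_member GROUP_LINE USER
# GROUP_LINE is one line in /etc/group format (name:passwd:gid:members),
# e.g. the output of `getent group sfread`. Succeeds only when the member
# list is exactly USER. Accounts that have the group as their primary GID
# are not listed in this field and need a separate check of /etc/passwd.
only_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    [ "$members" = "$2" ]
}
```

Run from cron or a monitoring job, a non-zero return from `check_group_read` shows when something reset the file back to 600 or to its original group.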